This past Thursday, the Detroit-based reselling platform sent out an e-mail regarding an alleged update to the site's system, urging users to reset their passwords in order to resume use of the service. However, the e-mail did not detail what led to the update. In a statement issued by a spokesman to TechCrunch, StockX admitted that it had been alerted to suspicious activity involving the platform, but that may not have been the entire story.
According to Whittaker, an unnamed data breach seller contacted TechCrunch claiming that the information of more than 6.8 million users was stolen from StockX back in May. After being provided with a sample of 1,000 records by the seller, TechCrunch contacted the individual customers and provided them with unique information, including their real name, username combination and shoe size. Every person confirmed their data was accurate. The data is already being sold on the dark web for about $300.
Perhaps compounding the issue is the company's silence on the matter thus far. We reached out to StockX for a comment, but they did not respond. Information Security Analyst Cassie Brunetto tells us why that could be a problem for the company moving forward.
"The longer StockX takes to make a statement, the less credibility they will have," said Brunetto. "I think they handled the disclosure unethically and probably in the worst way possible. I'm curious to know what vulnerability was exploited though, because this could potentially expose holes that were or still are present in their systems and processes. As a consumer, I would be apprehensive about doing business with them going forward because I'm concerned about my data privacy and security."
Last month, StockX was valued at over $1 billion following a $110 million Series C funding round from DST Global, General Atlantic, and GGV Capital.
UPDATE (8/3): Shortly after 10pm EST, StockX sent an email to customers and posted a message on its website acknowledging that "an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history." The company maintains that the system update it implemented on Thursday was taken as a precautionary measure, as it "did not yet know the nature, extent, or scope of suspicious activity to which we had been alerted." StockX also says that per its investigation, no evidence suggests that customer financial or payment information has been impacted. However, some Twitter users have pointed out that fraudulent purchases have been made through their accounts. You can read StockX's full statement regarding the breach and ongoing investigation here.
UPDATE (8/8): After initially acknowledging the data breach on Saturday, StockX's recently appointed CEO Scott Cutler has now issued a lengthier statement on the hack. Cutler's letter personally apologizes to customers affected by the breach and reiterates the specifics contained in Saturday's email.
In addition to assuring users that steps were taken immediately upon discovering the hack on July 26, StockX is now offering free services to provide fraud detection and identity theft protection for a year. Interested parties can visit https://ide.myidcare.com/stockx/ for more information.